feat: Implement SourceHub ACP

.github/workflows/test-and-upload-coverage.yml

@@ -35,31 +35,57 @@ jobs:
         database-type: [badger-file, badger-memory]
         mutation-type: [gql, collection-named, collection-save]
         lens-type: [wasm-time]
+        acp-type: [local]
         database-encryption: [false]
         include:
           - os: ubuntu-latest
             client-type: go
             database-type: badger-memory
             mutation-type: collection-save
             lens-type: wasm-time
+            acp-type: local
             database-encryption: true
           - os: ubuntu-latest
             client-type: go
             database-type: badger-memory
             mutation-type: collection-save
             lens-type: wazero
+            acp-type: local
             database-encryption: false
           - os: ubuntu-latest
             client-type: go
             database-type: badger-memory
             mutation-type: collection-save
             lens-type: wasmer
+            acp-type: local
+            database-encryption: false
+          - os: ubuntu-latest
+            client-type: go
+            database-type: badger-memory
+            mutation-type: collection-save
+            lens-type: wasm-time
+            acp-type: source-hub
+            database-encryption: false
+          - os: ubuntu-latest
+            client-type: http
+            database-type: badger-memory
+            mutation-type: collection-save
+            lens-type: wasm-time
+            acp-type: source-hub
+            database-encryption: false
+          - os: ubuntu-latest
+            client-type: cli
+            database-type: badger-memory
+            mutation-type: collection-save
+            lens-type: wasm-time
+            acp-type: source-hub
             database-encryption: false
           - os: macos-latest
             client-type: go
             database-type: badger-memory
             mutation-type: collection-save
             lens-type: wasm-time
+            acp-type: local
             database-encryption: false
 ## TODO: https://github.com/sourcenetwork/defradb/issues/2080
 ## Uncomment the lines below to Re-enable the windows build once this todo is resolved.
@@ -68,6 +94,7 @@ jobs:
 ##          database-type: badger-memory
 ##          mutation-type: collection-save
 ##          lens-type: wasm-time
+##          acp-type: local
 ##          database-encryption: false
 
     runs-on: ${{ matrix.os }}
@@ -87,6 +114,7 @@ jobs:
       DEFRA_BADGER_ENCRYPTION: ${{ matrix.database-encryption }}
       DEFRA_MUTATION_TYPE: ${{ matrix.mutation-type }}
       DEFRA_LENS_TYPE: ${{ matrix.lens-type }}
+      DEFRA_ACP_TYPE: ${{ matrix.acp-type }}
 
     steps:
       - name: Checkout code into the directory
@@ -143,6 +171,20 @@ jobs:
           make deps:modules
           make deps:test
 
+      # We have to checkout the source-hub repo and install it ourselves because it
+      # contains replace commands in its go.mod file.
+      - name: Checkout sourcehub code into the directory
+        if: ${{ matrix.acp-type == 'source-hub' }}
+        uses: actions/checkout@v4
+        with:
+          repository: sourcenetwork/sourcehub
+          path: _sourceHub
+
+      - name: Install SourceHub CLI
+        if: ${{ matrix.acp-type == 'source-hub' }}
+        working-directory: _sourceHub
+        run: make install
+
       - name: Run integration tests
         run: make test:coverage
 
@@ -158,6 +200,7 @@ jobs:
             _${{ matrix.database-type }}\
             _${{ matrix.mutation-type }}\
             _${{ matrix.lens-type }}\
+            _${{ matrix.acp-type }}\
             _${{ matrix.database-encryption }}\
           "
           path: coverage.txt

CONTRIBUTING.md

@@ -61,6 +61,7 @@ The following tools are required in order to build and run the tests within this
 
 - [Go](https://go.dev/doc/install)
 - Cargo/rustc, typically installed via [rustup](https://www.rust-lang.org/tools/install)
+- [SourceHub](https://github.com/sourcenetwork/sourcehub), installed via `make install`
 
 ## Documentation
 The overall project documentation can be found at [docs.source.network](https://docs.source.network), and its source at [github.com/sourcenetwork/docs.source.network](https://github.com/sourcenetwork/docs.source.network).

Makefile

@@ -65,7 +65,7 @@ ifdef BUILD_TAGS
 BUILD_FLAGS+=-tags $(BUILD_TAGS)
 endif
 
-TEST_FLAGS=-race -shuffle=on -timeout 5m
+TEST_FLAGS=-race -shuffle=on -timeout 10m
 
 COVERAGE_DIRECTORY=$(PWD)/coverage
 COVERAGE_FILE=coverage.txt
@@ -256,6 +256,10 @@ test\:gql-mutations:
 test\:col-named-mutations:
 	DEFRA_MUTATION_TYPE=collection-named DEFRA_BADGER_MEMORY=true gotestsum --format pkgname -- $(DEFAULT_TEST_DIRECTORIES)
 
+.PHONY: test\:source-hub
+test\:source-hub:
+	DEFRA_ACP_TYPE=source-hub gotestsum --format pkgname -- $(DEFAULT_TEST_DIRECTORIES)
+
 .PHONY: test\:go
 test\:go:
 	go test $(DEFAULT_TEST_DIRECTORIES) $(TEST_FLAGS)

acp/README.md

@@ -436,8 +436,14 @@ To perform authenticated operations you will need to build and sign a JWT token
 
 - `sub` public key of the identity
 - `aud` host name of the defradb api
-
-> The `exp` and `nbf` fields should also be set to short-lived durations.
+- The `exp` and `nbf` fields should also be set to short-lived durations.
+
+Additionally, if using SourceHub ACP, the following must be set:
+- `iss` should be set to the user's DID, e.g. `"did:key:z6MkkHsQbp3tXECqmUJoCJwyuxSKn1BDF1RHzwDGg9tHbXKw"`
+- `iat` should be set to the current unix timestamp
+- `authorized_account` should be set to the SourceHub address of the account signing SourceHub transactions on your
+  behalf - WARNING - this will currently enable this account to make any SourceHub as your user for the lifetime of the
+  token, so please only set this if you fully trust the node/account.
 
 The JWT must be signed with the `secp256k1` private key of the identity you wish to perform actions as.
 

acp/acp.go

@@ -13,9 +13,10 @@ package acp
 import (
 	"context"
 
+	"github.com/sourcenetwork/corelog"
 	"github.com/sourcenetwork/immutable"
 
-	"github.com/sourcenetwork/corelog"
+	"github.com/sourcenetwork/defradb/acp/identity"
 )
 
 var (
@@ -47,7 +48,7 @@ type ACP interface {
 	// otherwise returns error.
 	//
 	// A policy can not be added without a creator identity (sourcehub address).
-	AddPolicy(ctx context.Context, creatorID string, policy string) (string, error)
+	AddPolicy(ctx context.Context, creator identity.Identity, policy string) (string, error)
 
 	// ValidateResourceExistsOnValidDPI performs DPI validation of the resource (matching resource name)
 	// that is on the policy (matching policyID), returns an error upon validation failure.
@@ -68,7 +69,7 @@ type ACP interface {
 	// - actorID here is the identity of the actor registering the document object.
 	RegisterDocObject(
 		ctx context.Context,
-		actorID string,
+		indentity identity.Identity,
 		policyID string,
 		resourceName string,
 		docID string,

acp/acp_local.go

@@ -20,6 +20,8 @@ import (
 	"github.com/sourcenetwork/acp_core/pkg/runtime"
 	"github.com/sourcenetwork/acp_core/pkg/types"
 	"github.com/sourcenetwork/immutable"
+
+	"github.com/sourcenetwork/defradb/acp/identity"
 )
 
 const localACPStoreName = "local_acp"
@@ -105,14 +107,14 @@ func (l *ACPLocal) Close() error {
 
 func (l *ACPLocal) AddPolicy(
 	ctx context.Context,
-	creatorID string,
+	creator identity.Identity,
 	policy string,
 	marshalType policyMarshalType,
 	creationTime *protoTypes.Timestamp,
 ) (string, error) {
-	principal, err := auth.NewDIDPrincipal(creatorID)
+	principal, err := auth.NewDIDPrincipal(creator.DID)
 	if err != nil {
-		return "", newErrInvalidActorID(err, creatorID)
+		return "", newErrInvalidActorID(err, creator.DID)
 	}
 	ctx = auth.InjectPrincipal(ctx, principal)
 
@@ -152,15 +154,15 @@ func (l *ACPLocal) Policy(
 
 func (l *ACPLocal) RegisterObject(
 	ctx context.Context,
-	actorID string,
+	identity identity.Identity,
 	policyID string,
 	resourceName string,
 	objectID string,
 	creationTime *protoTypes.Timestamp,
 ) (RegistrationResult, error) {
-	principal, err := auth.NewDIDPrincipal(actorID)
+	principal, err := auth.NewDIDPrincipal(identity.DID)
 	if err != nil {
-		return RegistrationResult_NoOp, newErrInvalidActorID(err, actorID)
+		return RegistrationResult_NoOp, newErrInvalidActorID(err, identity.DID)
 	}
 
 	ctx = auth.InjectPrincipal(ctx, principal)

acp/acp_local_test.go

@@ -15,11 +15,19 @@ import (
 	"testing"
 
 	"github.com/stretchr/testify/require"
+
+	"github.com/sourcenetwork/defradb/acp/identity"
 )
 
-var identity1 = "did:key:z7r8os2G88XXBNBTLj3kFR5rzUJ4VAesbX7PgsA68ak9B5RYcXF5EZEmjRzzinZndPSSwujXb4XKHG6vmKEFG6ZfsfcQn"
-var identity2 = "did:key:z7r8ooUiNXK8TT8Xjg1EWStR2ZdfxbzVfvGWbA2FjmzcnmDxz71QkP1Er8PP3zyLZpBLVgaXbZPGJPS4ppXJDPRcqrx4F"
-var invalidIdentity = "did:something"
+var identity1 = identity.Identity{
+	DID: "did:key:z7r8os2G88XXBNBTLj3kFR5rzUJ4VAesbX7PgsA68ak9B5RYcXF5EZEmjRzzinZndPSSwujXb4XKHG6vmKEFG6ZfsfcQn",
+}
+var identity2 = identity.Identity{
+	DID: "did:key:z7r8ooUiNXK8TT8Xjg1EWStR2ZdfxbzVfvGWbA2FjmzcnmDxz71QkP1Er8PP3zyLZpBLVgaXbZPGJPS4ppXJDPRcqrx4F",
+}
+var invalidIdentity = identity.Identity{
+	DID: "did:something",
+}
 
 var validPolicyID string = "d59f91ba65fe142d35fc7df34482eafc7e99fed7c144961ba32c4664634e61b7"
 var validPolicy string = `
@@ -478,7 +486,7 @@ func Test_LocalACP_InMemory_CheckDocAccess_TrueIfHaveAccessFalseIfNotErrorOtherw
 	hasAccess, errCheckDocAccess := localACP.CheckDocAccess(
 		ctx,
 		ReadPermission,
-		identity1,
+		identity1.DID,
 		validPolicyID,
 		"",
 		"",
@@ -491,7 +499,7 @@ func Test_LocalACP_InMemory_CheckDocAccess_TrueIfHaveAccessFalseIfNotErrorOtherw
 	hasAccess, errCheckDocAccess = localACP.CheckDocAccess(
 		ctx,
 		ReadPermission,
-		identity1,
+		identity1.DID,
 		validPolicyID,
 		"users",
 		"documentID_XYZ",
@@ -513,7 +521,7 @@ func Test_LocalACP_InMemory_CheckDocAccess_TrueIfHaveAccessFalseIfNotErrorOtherw
 	hasAccess, errCheckDocAccess = localACP.CheckDocAccess(
 		ctx,
 		ReadPermission,
-		identity1,
+		identity1.DID,
 		validPolicyID,
 		"users",
 		"documentID_XYZ",
@@ -525,7 +533,7 @@ func Test_LocalACP_InMemory_CheckDocAccess_TrueIfHaveAccessFalseIfNotErrorOtherw
 	hasAccess, errCheckDocAccess = localACP.CheckDocAccess(
 		ctx,
 		ReadPermission,
-		identity2,
+		identity2.DID,
 		validPolicyID,
 		"users",
 		"documentID_XYZ",
@@ -564,7 +572,7 @@ func Test_LocalACP_PersistentMemory_CheckDocAccess_TrueIfHaveAccessFalseIfNotErr
 	hasAccess, errCheckDocAccess := localACP.CheckDocAccess(
 		ctx,
 		ReadPermission,
-		identity1,
+		identity1.DID,
 		validPolicyID,
 		"",
 		"",
@@ -577,7 +585,7 @@ func Test_LocalACP_PersistentMemory_CheckDocAccess_TrueIfHaveAccessFalseIfNotErr
 	hasAccess, errCheckDocAccess = localACP.CheckDocAccess(
 		ctx,
 		ReadPermission,
-		identity1,
+		identity1.DID,
 		validPolicyID,
 		"users",
 		"documentID_XYZ",
@@ -599,7 +607,7 @@ func Test_LocalACP_PersistentMemory_CheckDocAccess_TrueIfHaveAccessFalseIfNotErr
 	hasAccess, errCheckDocAccess = localACP.CheckDocAccess(
 		ctx,
 		ReadPermission,
-		identity1,
+		identity1.DID,
 		validPolicyID,
 		"users",
 		"documentID_XYZ",
@@ -611,7 +619,7 @@ func Test_LocalACP_PersistentMemory_CheckDocAccess_TrueIfHaveAccessFalseIfNotErr
 	hasAccess, errCheckDocAccess = localACP.CheckDocAccess(
 		ctx,
 		ReadPermission,
-		identity2,
+		identity2.DID,
 		validPolicyID,
 		"users",
 		"documentID_XYZ",
@@ -631,7 +639,7 @@ func Test_LocalACP_PersistentMemory_CheckDocAccess_TrueIfHaveAccessFalseIfNotErr
 	hasAccess, errCheckDocAccess = localACP.CheckDocAccess(
 		ctx,
 		ReadPermission,
-		identity1,
+		identity1.DID,
 		validPolicyID,
 		"users",
 		"documentID_XYZ",
@@ -643,7 +651,7 @@ func Test_LocalACP_PersistentMemory_CheckDocAccess_TrueIfHaveAccessFalseIfNotErr
 	hasAccess, errCheckDocAccess = localACP.CheckDocAccess(
 		ctx,
 		ReadPermission,
-		identity2,
+		identity2.DID,
 		validPolicyID,
 		"users",
 		"documentID_XYZ",